The VMware View Agent Configuration ADMX template file (vdm_agent.admx) contains policy settings related to the authentication and environmental components of Horizon Agent.
The ADMX files are available in VMware-Horizon-Extras-Bundle-x.x.x-yyyyyyy.zip, which you can download from the VMware Downloads site at https://my.vmware.com/web/vmware/downloads. Under Desktop & End-User Computing, select the VMware Horizon 7 download, which includes the ZIP file.
The following tables describe policy settings in the VMware View Agent Configuration ADMX template file. The template contains both Computer Configuration and User Configuration settings. The User Configuration setting overrides the equivalent Computer Configuration setting.
Agent Configuration Settings
Agent configuration settings are in the folder in the Group Policy Management Editor.
| Setting | Computer | User | Properties |
|---|---|---|---|
| AllowDirectRDP | X | Determines whether clients other than Horizon Client devices can connect directly to remote desktops with RDP. When this setting is disabled, the agent permits only Horizon-managed connections through Horizon Client. When connecting to a remote desktop from Horizon Client for Mac, do not disable the AllowDirectRDP setting. If this setting is disabled, the connection fails with an Access is denied error. By default, while a user is logged in to a remote desktop session, you can use RDP to connect to the virtual machine. The RDP connection terminates the remote desktop session, and the user's unsaved data and settings might be lost. The user cannot log in to the desktop until the external RDP connection is closed. To avoid this situation, disable the AllowDirectRDP setting.
Important: The Windows Remote Desktop Services service must be running on the guest operating system of each desktop. You can use this setting to prevent users from making direct RDP connections to their desktops.
This setting is enabled by default. |
|
| AllowSingleSignon | X | Determines whether single sign-on (SSO) is used to connect users to desktops and applications. When this setting is enabled, users are required to enter their credentials only once, when they log in to the server. When this setting is disabled, users must reauthenticate when the remote connection is made. This setting is enabled by default. |
|
| CommandsToRunOnConnect | X | Specifies a list of commands or command scripts to be run when a session is connected for the first time. See Running Commands on Horizon Desktops for more information. |
|
| CommandsToRunOnDisconnect | X | Specifies a list of commands or command scripts to be run when a session is disconnected. See Running Commands on Horizon Desktops for more information. |
|
| CommandsToRunOnReconnect | X | Specifies a list of commands or command scripts to be run when a session is reconnected after a disconnect. See Running Commands on Horizon Desktops for more information. |
|
| ConnectionTicketTimeout | X | Specifies the amount of time in seconds that the Horizon connection ticket is valid. Horizon Client devices use a connection ticket for verification and single sign-on when connecting to the agent. For security reasons, a connection ticket is valid for a limited amount of time. When a user connects to a remote desktop, authentication must take place within the connection ticket timeout period or the session times out. If this setting is not configured, the default timeout period is 900 seconds. |
|
| CredentialFilterExceptions | X | Specifies the executable files that are not allowed to load the agent CredentialFilter. Filenames must not include a path or suffix. Use a semicolon to separate multiple filenames. |
|
| Disable Time Zone Synchronization | X | X | Determines whether the time zone of the remote desktop is synchronized with the time zone of the connected client. An enabled setting applies only if the Disable time zone forwarding setting of the Horizon Client Configuration policy is not set to disabled. This setting is disabled by default. |
| Disconnect Session Time Limit (VDI) | X | Specifies the amount of time after which a disconnected desktop session will automatically log off.
You can also configure the time limit in the desktop pool setting Automatically logoff after disconnect in Horizon Administrator or in Horizon Console. If you configure this setting in both places, the GPO value takes precedence. For example, selecting Never here will prevent a disconnected session on this machine from ever logging off, regardless of what is set in Horizon Administrator or in Horizon Console. |
|
| DPI Synchronization | X | X | Adjusts the system-wide DPI setting for the remote session. When this setting is enabled or not configured, the system-wide DPI setting for the remote session is set to match the corresponding DPI setting on the client operating system. When this setting is disabled, the system-wide DPI setting for the remote session is never changed. For a list of the supported guest operating systems, see the "Using DPI Synchronization" topic in the VMware Horizon Client for Windows Installation and Setup Guide document. This setting is enabled by default. |
| DPI Synchronization Per Connection | X | X | Determines whether to adjust the monitor DPI setting when a user reconnects to a remote session. When enabled, this setting sets the monitor DPI setting to match the corresponding DPI setting on the client system when a user reconnects to a remote session. The DPI Synchronization setting must also be enabled. When disabled or not configured, this setting does not change the monitor DPI setting when a user reconnects to a remote session. For a list of the supported guest operating systems, see the "Using DPI Synchronization" topic in the VMware Horizon Client for Windows Installation and Setup Guide document. This setting is disabled by default. |
| Enable Battery State Redirection | X | Determines whether battery state redirection is enabled. This feature is supported with Windows and Linux client systems. When this setting is enabled, information about the Windows or Linux client system's battery is redirected to a Windows remote desktop. The battery icon in the system tray on the remote desktop indicates the battery charge percentage. If the battery charge is less than or equal to 10 percent, a message pops up stating that the battery is low. This setting is enabled by default. |
|
| Enable multi-media acceleration | X | Determines whether multimedia redirection (MMR) is enabled on the remote desktop. MMR is a Windows Media Foundation filter that forwards multimedia data from specific codecs on the remote system directly through a TCP socket to the client. The data is then decoded directly on the client, where it is played. You can disable MMR if the client has insufficient resources to handle local multimedia decoding. This setting is enabled by default. |
|
| Enable Unauthenticated Access | X | Enables or disables the unauthenticated access feature. When this setting is enabled, unauthenticated access users can access published applications from a Horizon Client without requiring AD credentials. When this setting is disabled, unauthenticated access users cannot access published applications from Horizon Client without requiring AD credentials. You must reboot the RDS host for this setting to take effect. This setting is enabled by default. |
|
| Force MMR to use software overlay | X | MMR tries to use the hardware overlay to play back video for better performance. When working with multiple displays, the hardware overlay exists only on one of the displays, either the primary display or the display where WMP was started. If WMP is dragged to another display, the video appears as a black rectangle. Use this option to force MMR to use a software overlay that works on all displays. This setting is enabled by default. |
|
| Idle Time Until Disconnect (VDI) | X | Specifies the amount of time after which a desktop session will disconnect due to user inactivity. If disabled, unconfigured, or enabled with the setting Never, then the desktop sessions will never be disconnected. If the desktop pool or machine is configured to log off automatically after a disconnect, then that setting will be honored. |
|
| Prewarm Session Time Limit | X | Specifies the amount of time after which a prewarm session will automatically log off. This setting is not configured by default. | |
| ShowDiskActivityIcon | X | This setting is not supported in this release. | |
| Single sign-on retry timeout | X | Specifies the time, in milliseconds, after which single sign-on is retried. Set the value to 0 to disable single sign-on retry. The default value is 5000 milliseconds. This setting is enabled by default. |
|
| Toggle Display Settings Control | X | Determines whether to disable the Settings tab in the Display control panel when a client session uses the PCoIP display protocol. This setting is enabled by default. |
Agent Security Setting
The Agent Security setting is in the folder in the Group Policy Management Editor.
| Setting | Computer | User | Properties |
|---|---|---|---|
| Accept SSL encrypted framework channel | X | Enables the TLS encrypted framework channel. The following options are available:
This setting is enabled by default. |
Session Collaboration Settings
Session Collaboration settings are in the folder in the Group Policy Management Editor. See Session Collaboration Policy Settings.
Persona Management Settings
Persona Management settings are in the folder in the Group Policy Management Editor. See the Setting Up Virtual Desktops in Horizon 7 document.
Scanner Redirection Settings
Scanner Redirection settings are in the folder in the Group Policy Management Editor. See Scanner Redirection Group Policy Settings.
Serial COM Settings
Serial COM settings are in the folder in the Group Policy Management Editor. See Serial Port Redirection Group Policy Settings.
Smart Card Redirection Settings
Smart card redirection settings are in the folder in the Group Policy Management Editor.
| Setting | Computer | User | Properties |
|---|---|---|---|
| Allow applications access to Local Smart Card readers | X | If enabled, applications can access all local smart card readers even when the smart card redirection feature is installed. When enabled, the desktop is monitored for the presence of a local reader and when detected, the smart card redirection switches off, allowing access to the local readers. The redirection remains off until the next time the user connects to the session. When local access is enabled, applications can no longer access remote readers present on the client. This setting does not apply to RDP or to RDS hosts when the Remote Desktop Services role is enabled. This setting is disabled by default. |
|
| Local Reader Name | X | Specifies the name of a local reader to monitor to enable local access. By default, the reader must have a card inserted to enable local access. You can disable this requirement by using the Require an inserted Smart Card setting. This setting is enabled by default. |
|
| Require an inserted Smart Card | X | If enabled, local reader access is enabled if the local reader has a card inserted. If disabled, local access is enabled as long as a local reader is detected. This setting is enabled by default. |
True SSO Configuration Settings
True SSO configuration settings are in the folder in the Group Policy Management Editor. See Horizon 7 Administration document.
Unity Touch and Hosted Apps Settings
Unity Touch and Hosted Apps settings are in the folder in the Group Policy Management Editor.
| Setting | Computer | User | Properties |
|---|---|---|---|
| Send updates for empty or offscreen windows | X | Specifies whether the client receives updates about empty or offscreen windows. When this setting is disabled, information about window that are smaller than 2x2 pixels, or that are located entirely offscreen, are not sent to the client. This setting is disabled by default. |
|
| Enable UWP support on RDSH platforms | X | When enabled, Universal Windows Platform (UWP) applications can run on Windows 10 virtual desktop (WVD) hosts on Horizon Cloud Service on Azure. When disabled, the application status shows as unavailable in Horizon Agent and the user cannot access the application. Restart the agent VM for this setting to take effect. This setting is disabled by default. |
|
| Enable Unity Touch | X | Determines whether the Unity Touch functionality is enabled on the remote desktop. Unity Touch supports the delivery of published applications in Horizon Client and allows mobile device users to access applications in the Unity Touch sidebar. This setting is enabled by default. |
|
| Enable system tray redirection for Hosted Apps | X | Determines whether system tray redirection is enabled while a user is running published applications. This setting is enabled by default. |
|
| Enable user profile customization for Hosted Apps | X | X | Specifies whether to customize the user profile when published applications are used. If this setting is enabled, a user profile is generated, the Windows theme is customized, and startup applications are registered. This setting is disabled by default. |
| Only launch new instances of Hosted Apps if arguments are different | X | This policy controls the behavior when a published application is launched, but an existing instance of the application is already running inside of a disconnected protocol session. When disabled, the existing instance of the application is activated. When enabled, the existing instance of the application is activated only if the command-line parameters match. This setting is disabled by default. |
|
| Limit usage of Windows hooks | X | Disables most hooks when published applications or Unity Touch are used. This setting is intended for applications that have compatibility issues when OS-level hooks are set. For example, enabling this setting disables the use of most Windows active accessibility and in-process hooks. This setting is disabled by default, which means that all preferred hooks are used. |
|
| Unity Filter rule list | X | Specifies filter rules for unity windows when using published applications. Horizon Agent uses these rules to support custom applications. For information about creating filter rules, see Managing Special Unity Windows. This setting is not configured by default. |
Horizon Agent Direct-Connection Configuration Settings
Horizon Agent direct configuration settings are in the folder in the Group Policy Management Editor. See the View Agent Direct-Connection Plug-In Administration document.
Real-Time Audio-Video Configuration Settings
RTAV configuration settings are in the folder in the Group Policy Management Editor. See Real-Time Audio-Video Group Policy Settings.
USB Configuration Settings for Horizon Agent
See USB Settings in the Horizon Agent Configuration ADMX Template.
VMware AppTap Configuration
The VMware AppTap configuration setting is in the folder in the Group Policy Management Editor.
| Setting | Computer | User | Properties |
|---|---|---|---|
| Processes to ignore when detecting empty application sessions | X | Specifies the list of processes to ignore when detecting empty application sessions. You can specify either a process filename or a full path. Values are not case sensitive. Do not use environment variables in paths. UNC network paths are allowed, example: \\vmware\temp\app.exe. This setting is not configured by default. |
VMware Client IP Transparency Settings
VMware Client IP transparency settings are in the folder in the Group Policy Management Editor.
| Setting | Computer | User | Properties |
|---|---|---|---|
| Default auto detect proxy | X | Default Internet Explorer connection setting. Turns on Automatically detect settings in Internet Options > Local Area Network (LAN) Settings. This setting is not enabled by default. |
|
| Default Proxy Server | X | Default Internet Explorer connection setting for the proxy server. Specifies the proxy server to use in Internet Options > Local Area Network (LAN) Settings. This setting is not enabled by default. |
|
| Enable | X | Enables VMware Client IP Transparency. Remote connections to Internet Explorer use the client's IP address instead of the IP address of the remote desktop machine. This setting takes effect at the next login. If the VMware Client IP Transparency custom setup option is selected in the Horizon Agent installer, this setting is enabled by default. |
|
| Set proxy for Java applet | X | Sets the proxy for Java applets. The following options are available:
This setting is not enabled by default. |
Flash Redirection Settings
Flash redirection settings are in the folder in the Group Policy Management Editor.
| Setting | Computer | User | Properties |
|---|---|---|---|
| Enable flash multi-media redirection | X | Specifies whether Flash Redirection is enabled on the agent. | |
| Minimum rect size to enable FlashMMR | X | Specifies the minimum rect size to enable Flash Redirection. The default width is 320 pixels and the default height is 200 pixels. |
HTML5 Multimedia Redirection Settings
HTML5 multimedia redirection settings are in the folder in the Group Policy Management Editor. See VMware HTML5 Feature Policy Settings.
VMware Virtualization Pack for Skype for Business Settings
HTML5 multimedia redirection settings are in the folder in the Group Policy Management Editor. See VMware Virtualization Pack for Skype for Business Policy Settings.
